topic Re: problem with the date and timestamp in Splunk Search

problem with the date and timestamp

abhayneilam — Fri, 16 Nov 2012 04:15:11 GMT

Hi,

I have a field in a file which contains the date which is in dd/mm/yyyy format as follows:

BEGIN_TIME NAME LOC
5/11/2012 abhay kolkata
6/11/2012 murari raniganj

These two data is of 5th and 6th November 2012 , but When I am searching with the BEGIN_TIME field I am not getting these value( I am getting no data , because SPLUNK is considering 11th May and 11th June data )

Please suggest me how to solve this issue , need ur urgent help

Thanks for your help!!

Re: problem with the date and timestamp

Damien_Dallimor — Fri, 16 Nov 2012 04:23:33 GMT

In props.conf you can declare the TIME_FORMAT for this particular source/sourcetype etc..

More info here : http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

Re: problem with the date and timestamp

abhayneilam — Fri, 16 Nov 2012 05:50:10 GMT

I wrote TIME_FORMAT = %d/%m/%Y in props.conf and it is working fine for the newly imported data, but still facing the same issue for the data which has been already imported, How to get out of that problem , please help, props.conf will help me out for the new data imported but not the data which is already imported

Thanks in advance !!

Please help

Re: problem with the date and timestamp

Damien_Dallimor — Fri, 16 Nov 2012 06:19:15 GMT

You'll need to re index the prior data.

Re: problem with the date and timestamp

abhayneilam — Fri, 16 Nov 2012 07:10:15 GMT

How do I re-index the prior data , please help

Re: problem with the date and timestamp

smolcj — Fri, 16 Nov 2012 07:20:36 GMT

http://splunk-base.splunk.com/answers/50339/timestamp-issue-in-splunk

Re: problem with the date and timestamp

Ayn — Fri, 16 Nov 2012 08:23:23 GMT

You do know there's a product manual?...I mean sure we're here to help but you'll solve problems so much quicker if you could read up on things instead of asking about every small detail here.

Re: problem with the date and timestamp

abhayneilam — Fri, 16 Nov 2012 08:36:46 GMT

I have read the documents but since I dont have any real time exp, I am not able to connect the real solutions with my problems, when I am getting the ans from you guys then it is clicking in my mind "oh ok ok so this one is the solution for this problem, I have read this before" ...I myself wrote the TIME_FORMAT = %d/%m/%Y line in props.conf and got it done, but again facing same issue for already indexed data

Re: problem with the date and timestamp

Ayn — Fri, 16 Nov 2012 08:56:50 GMT

Right. Well you will need to reindex your data. Just use the info in the link above.

Re: problem with the date and timestamp

abhayneilam — Fri, 16 Nov 2012 09:41:37 GMT

I am using following commands :

$SPLUNKHOME/bin/splunk stop
$SPLUNKHOME/bin/splunk clean eventdata -index myindex -f
$SPLUNKHOME/bin/splunk start

after that I am going to create a new index "newmyindex" and rest of the configuration will be the same , will it work if I do like that ?

Please suggest

Re: problem with the date and timestamp

Ayn — Fri, 16 Nov 2012 11:09:24 GMT

Sounds about right. Why not try it with some sample data? That's the easiest way to learn.